{
"Event": {
"analysis": "2",
"date": "2021-09-24",
"extends_uuid": "",
"info": "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines",
"publish_timestamp": "1632471296",
"published": true,
"threat_level_id": "1",
"timestamp": "1632471288",
"uuid": "d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\""
},
{
"colour": "#12e200",
"name": "misp-galaxy:threat-actor=\"Turla Group\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1632471034",
"to_ids": true,
"type": "sha256",
"uuid": "327ed82a-9666-498f-8ecc-192fc7c06f12",
"value": "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "4",
"timestamp": "1632471017",
"uuid": "4639d0ff-7a62-41b3-a940-cdcb09f3fe35",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1632471017",
"to_ids": false,
"type": "link",
"uuid": "65654f61-cd9f-416f-a840-debc025dc4da",
"value": "https://blog.talosintelligence.com/2021/09/tinyturla.html"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1632471017",
"to_ids": false,
"type": "text",
"uuid": "4368eb41-7e59-4a68-b66c-c9c7c51a11dc",
"value": "Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "type",
"timestamp": "1632471017",
"to_ids": false,
"type": "text",
"uuid": "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb",
"value": "Blog post"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1632471060",
"uuid": "eefe6bfb-d38a-4a21-bc00-ecbd6506cffd",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1632471060",
"to_ids": false,
"type": "text",
"uuid": "d670480f-3907-4e8b-87cb-f3e905b41082",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1632471060",
"to_ids": true,
"type": "yara",
"uuid": "150de82b-b716-475b-a8c3-bd093c32c9db",
"value": "import \"pe\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \"Cisco Talos\"\r\ndescription = \"Detects Tiny Turla backdoor DLL\"\r\nstrings:\r\n$a = \"Title:\" fullword wide\r\n$b = \"Hosts\" fullword wide\r\n$c = \"Security\" fullword wide\r\n$d = \"TimeLong\" fullword wide\r\n$e = \"TimeShort\" fullword wide\r\n$f = \"MachineGuid\" fullword wide\r\n$g = \"POST\" fullword wide\r\n$h = \"WinHttpSetOption\" fullword ascii\r\n$i = \"WinHttpQueryDataAvailable\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\"ServiceMain\") and\r\nall of them\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1632471288",
"uuid": "96abab21-a8a7-4869-b680-89144e5625e7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "96abab21-a8a7-4869-b680-89144e5625e7",
"referenced_uuid": "f06729c8-10e4-4d20-9605-1661be3ae2c7",
"relationship_type": "analysed-with",
"timestamp": "1632471126",
"uuid": "ddab642d-65a9-4959-9171-68d8fcde64eb"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1632471288",
"to_ids": true,
"type": "md5",
"uuid": "3b77b5ee-d61f-4058-b201-96bba8d4b1b0",
"value": "028878c4b6ab475ed0be97eca6f92af9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1632471288",
"to_ids": true,
"type": "sha1",
"uuid": "38d60352-93fb-4aa3-ac12-0d5c1f52bc7d",
"value": "02c37ccdfccfe03560a4bf069f46e8ae3a5d2348"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1632471288",
"to_ids": true,
"type": "sha256",
"uuid": "ca150bd0-5e16-496f-b43d-0b655cb96c37",
"value": "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1632471126",
"uuid": "f06729c8-10e4-4d20-9605-1661be3ae2c7",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "last-submission",
"timestamp": "1632471034",
"to_ids": false,
"type": "datetime",
"uuid": "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb",
"value": "2021-09-24T06:19:11+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1632471034",
"to_ids": false,
"type": "link",
"uuid": "0643f79e-7e59-46ad-b98d-b00f28b73c5c",
"value": "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1632471034",
"to_ids": false,
"type": "text",
"uuid": "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb",
"value": "48/68"
}
]
}
]
}
}